Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()
CVE-2026-40519

7.7HIGH

Key Information:

Vendor

Nginxproxymanager

Status
Nginx-proxy-manager
Vendor
CVE Published:
8 June 2026

What is CVE-2026-40519?

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.

Affected Version(s)

nginx-proxy-manager 2.9.14 <= 2.15.1

nginx-proxy-manager 2.9.14 <= 2.15.1

nginx-proxy-manager a5db5ed156355e3088e7d1ceb0533d4bae922def

References

https://github.com/NginxProxyManager/nginx-proxy-manager/...
issue-tracking
https://github.com/NginxProxyManager/nginx-proxy-manager/...
patch
https://www.vulncheck.com/advisories/nginx-proxy-manager-...
third-party-advisory

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yassine Damiri
.